A group of hackers, allegedly from Russia, found a fundamental flaw in Microsoft Windows and exploited it to spy on Western governments, NATO, European energy companies and an academic organization in the United States.
That’s according to new research from iSight Partners, a Dallas-based cybersecurity firm.
Last month, the U.S. and the U.K. were preparing to meet at a NATO summit to talk about Ukraine. Emails were flying back and forth. Different experts were offering to talk at the conference. And in the midst of all the digital traffic, hackers jumped into the conversation.
Patrick McBride, a spokesman with iSight, says the hackers targeted specific officials using a well-known kind of attack called spear-phishing. Hackers would craft a message with a PowerPoint document attached. For example, they’d say, “We’d like to be involved in the conference.”
And when an unknowing recipient opened the corrupted PowerPoint, the file was exploited to load a piece of malware onto the computer that the attacker could then use later to “exfiltrate documents,” McBride says.
The hacker group, dubbed the “Sandworm Team,” allegedly pulled emails and documents off computers from NATO, Ukrainian government groups, Western European government officials, and energy sector and telecommunications firms.
In the mad dash to grab information, McBride says, the hackers got a little sloppy and dropped hints about their identity. He says they’re Russian, “but we can’t pinpoint if they work for the Russian government or work in a particular department in the government.”
The Russian embassy did not immediately respond to NPR’s inquiry. Microsoft says that on Tuesday it is patching the security flaw so that PowerPoint and other Office products can’t be exploited again in the same way.
Lonnie Benavides, a researcher with the cybersecurity services firm DocuSign, says if the findings are true, they represent an interesting turn of events. “Typically Russians stick to making money, stick to stealing credit cards and identities as far as trends go,” he says.
Federal authorities are investigating the role of Russian hackers in the major breach against JPMorgan Chase.
Benavides says Russia provides an enabling environment for cyber offenses — whether it’s crime like stealing credit cards, or espionage to steal state secrets — because the country has some very talented hackers who do not get prosecuted.
“I’m certainly not seeing waves of people that are being put in jail, in order to send a message, in order for this to stop,” he says.
Even though the iSight report points to code that was in the Russian language, Benavides would not jump to the conclusion that the hacker group is state-sponsored or even from Russia. “There’s an attribution problem,” he says.